Introduction to international data transfers
Jonathan Holbrook – Head of Data Protection Practice
Geraldine Dersley – Solicitor (Head of Legal Profession)
Introduction
• What does the DPA say about international transfers?
• Is there a recommended approach to complying with the law?
• What about the machinery of international transfer compliance?
• What does the future hold?
ICO’s role and authorising transfers
• ICO provides general advice and guidance
• ICO does not routinely authorise one-off arrangements
• BCR authorisations
Guidance
• “The Guide to Data Protection” (Section B8)
• “The 8th Data Protection Principle and international data transfers”
• BCR – FAQ and detailed guidance documents (http://www.ico.gov.uk/tools_and_resources/document_library/data_protection.aspx)
• Model contracts
International transfers and the law
• What does the Directive say?
• Article 25(1) of Directive 95/46/EC: “Transfers may only take place to a third country providing an adequate level of protection.”
International transfers and the law
• What does the DPA say?
• 8th Data Protection Principle: “Personal data shall not be transferred to a country or territory outside the EEA, unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data”.
Recommended approach – initial considerations
• Do you need to transfer personal data?
• Is there a transfer?
• Does the 8th Principle apply?
• Have you complied with the other principles?
Transfer within EEA
• There are no restrictions on transfers to EEA countries
• These are currently: Austria, Belgium, Bulgaria, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Liechtenstein, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, United Kingdom
Transfer outside the EEA
• Has there been a finding of adequacy under Article 25(6) of the Directive: “The Commission may find that a third country ensures an adequate level of protection by reason of its domestic law or of the international commitments it has entered into.”
• Countries with findings of adequacy: Argentina, Canada, Guernsey, Isle of Man, Jersey, Switzerland, Israel, Andorra
Safe Harbor
• Is the transfer to a member of the US Safe Harbor?
• Membership can be checked on the US Department of Commerce website
• Voluntary mechanism for US organisations agreeing to:
  • 7 principles of information handling
  • be held responsible for keeping to those principles by the Federal Trade Commission or other oversight scheme
Adequate level of protection
• In other cases, the transfer can go ahead if the data controller is satisfied that, in the circumstances, there is an adequate level of protection. You can:
  • Assess adequacy yourself
  • Use contracts including the European Commission approved model contractual clauses
  • Get your Binding Corporate Rules approved by the Information Commissioner
  • Rely on exceptions from the rule
Assessing adequacy
• Data controllers are required to ensure adequacy of protection in all the circumstances of the transfer, including:
  • Nature of personal data being transferred
  • Use of personal data and for how long
  • Laws and practices of the destination country
  • Extent to which the country has adopted DP standards
  • Whether you can ensure that the standards are achieved in practice
  • Whether there is an effective procedure to enforce individual rights and obtain compensation
Implementing adequate safeguards
• Article 26(2) of the Directive: “Member States may authorise a transfer to a third country which does not ensure an adequate level of protection where the controller adduces adequate safeguards with respect to the protection of privacy; such safeguards may in particular result from appropriate contractual clauses.”
In layman’s terms…
• You have decided a transfer is taking place
• The data are going to a third country not on the approved list and not covered by Safe Harbor
• You have assessed that, in some areas, adequate protection does not exist
• Article 26(2) is a basis for introducing safeguards that “fill the gaps”
Model contracts
• EC and ICO approved contractual clauses
• Controller to controller; controller to processor
• Contracts place obligations on “exporter” and “recipient”
• No changes to model clauses
Binding Corporate Rules
• Internal code of conduct for transfers within a multinational group but outside the EEA
• Approved by relevant European data protection authorities
• Rights for individuals
• Working Party documents: WP74, WP108, WP154
BCR application
• Applications must include:
  • Evidence that the rules are binding
  • Description of the processing and data flows
  • Safeguards
  • Mechanism for reporting and recording changes
Other exceptions
• Article 26(1) of the Directive and Schedule 4 DPA
• Good practice: ensure adequate protection if it is possible to do so, and only rely on an exception if it is not
• Rights of individuals will weigh heavily against the interests of the data controller
Exceptions
• Consent
• Contract performance
• Substantial public interest
• Legal proceedings, advice or rights
• Vital interests
• Public register
and finally…
• Have you recorded the basis on which your decisions have been taken?